On November 7, 2014, the Wall Street Journal published "Home Depot Hackers Exposed 53 Million Email Addresses" regarding the big-box retailer's recent credit card data breach. Similar to the attack on Target consumers that occurred during the 2013 holiday season, hackers allegedly accessed Home Depot's networks via a vendor system.
This incident underscores the importance of performing due diligence with all vendor relationships before, during and after contracting services. Lessons learned from both of these high-profile breaches can benefit other organizations. The following best practices should be carefully considered:
- Ask to review vendor reports on background checks conducted on any employees who may have access to sensitive data.
- Review the company's written data governance policies and breach response procedures.
- Obtain results of any internal or external data security audits, and find out how often these audits are conducted.
- Ask for details on any prior data security incidents the vendor may have experienced.
- Know exactly where your data resides, and be sure you know where your vendor may be sending it.
- Contracts with vendors should include indemnity language under which the vendor holds the organization harmless for breaches of data being held. There should also be a termination agreement that allows the organization to gain control of the data in the event of a breach.
- Demand proof of insurance coverage that will cover both the vendor and the organization in the event of a breach.
Visit HUB International's full suite of cyber risk management resources on the Crisis Management Center and Learning Center to learn more about preparing for, preventing and recovering from a data breach. HUB's experienced Risk Services professionals can help you develop and implement a strategic data breach prevention and recovery plan that is unique to your specific business needs. Contact us today.